Congress puts focus on cybersecurity for suicide lifeline, voting systems, NOTAM

Senators are pushing to improve the cybersecurity of the national 988 Suicide & Crisis Lifeline and election infrastructure, after passing a bill to upgrade the resiliency of the aviation sector’s notification system for flight hazards.

Sens. Markwayne Mullin (R-OK) and Kyrsten Sinema (I-AZ) introduced a bill designed to strengthen the cybersecurity protocols at the 988 Lifeline, while Mark Warner (D-VA) and Susan Collins (R-ME) introduced legislation that would require voting systems to undergo simulated attacks as part of their standard certification process.

Both bills come in response to real-world security concerns that have alarmed lawmakers.

Mullin and Sinema noted that the 988 Lifeline service suffered a daylong outage in December 2022 after a cyberattack exposed vulnerabilities in the system. Callers were met with a recorded message informing them of the outage.

“Arizonans in crisis and need of help should always be able to count on the 988 Suicide & Crisis Lifeline,” Sinema said. “We’re working to ensure last year’s cyberattack on the 988 Lifeline does not happen again so Arizonans can continue to rely on the hotline for help.”

Created in 2005, the Lifeline provides 24/7, free and confidential support for people in distress and runs a network of over 200 crisis centers. A 2018 bill assigned the number 988 to the hotline.

Mullin called increased cybersecurity measures for the 988 Lifeline “imperative to suicide prevention” because those experiencing mental health crises must have timely support.

“Every life lost to suicide is one too many,” he said.

The bill would force the chief information security officer at the Department of Health and Human Services to coordinate with 988’s administrators to resolve vulnerabilities and provide added protection. The administrators would need to report all vulnerabilities to the government within 24 hours of discovery.

The Secure IT Act

The voting systems bill by Warner and Collins would order the Election Assistance Commission (EAC) to require any system seeking certification for use in U.S. elections to undergo penetration testing before it is approved.

“If we’re going to defeat our adversaries, we have to be able to think like they do. The SECURE IT Act would allow researchers to step into the shoes of cybercriminals and uncover vulnerabilities and weaknesses that might not be found otherwise,” Warner said.

Collins added that the bill will “protect and bolster public confidence in our elections.” The election industry in the U.S. is dominated by three companies — Election Systems & Software, Dominion and Hart InterCivic.

Voting system security has become one of the hottest cybersecurity topics mulled by Congress in recent years after several close calls.

Two weeks ago, Eric Goldstein, executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency (CISA), and Army Maj. Gen. William Hartman, the chief of the Cyber National Mission Force (CNMF), told the RSA conference that they were forced to take actions to protect the 2020 presidential election from Iranian hackers.

In 2020 the CNMF — U.S. Cyber Command’s elite digital corps — was conducting a reconnaissance mission in foreign cyberspace when it detected that Pioneer Kitten, an Iran-linked hacking group, had “gained access to a city's local infrastructure that would be used to record the results of voting for the 2020 elections.”

CISA contacted the impacted jurisdiction and worked through incident response, while CNMF “executed cyber operations to ensure the malicious cyber actor no longer had access to the network” and could not return to the system, Hartman said.

The senators noted that the Help America Vote Act, passed in 2002, mandates that the EAC provide funding for the “testing and certification, decertification, and recertification of voting system hardware and software by accredited laboratories.”

But the law does not explicitly demand penetration testing, something the new bill would mandate.

The bill would order the EAC and National Institute of Standards and Technology to accredit penetration testing entities that can be used to test voting machines.

A voluntary Coordinated Vulnerability Disclosure Program would also be created specifically for election systems.

“This bill will allow independent election system researchers like myself to contribute more fully to the maintaining public confidence in our elections,” said Juan Gilbert, chair of the Computer & Information Science & Engineering Department at the University of Florida.

Vetted researchers would be given access to voting systems voluntarily provided by manufacturers, allowing them to discover vulnerabilities and disclose them to both the EAC and manufacturers.

Election Systems & Software CEO Tom Burt backed the measure, writing that the company has “long supported and taken part in the independent testing of its election equipment.”

Burt said programmatic testing performed by independent security experts “helps ensure equipment stays ahead of threats” and “helps increase voter confidence in the overall security of elections.”

“I appreciate Senator Warner’s and Senator Collins’ work to further secure our nation’s elections,” he said.

NOTAM bill sails through Senate

Another cyber bill made progress Tuesday night on the Senate floor.

The NOTAM Improvement Act — introduced in January after a headline-grabbing outage that caused 7,000 flight delays and more than 1,000 cancellations — would require the Federal Aviation Administration to establish a task force to update and strengthen the resiliency and cybersecurity of the NOTAM system, which alerts pilots of safety and location hazards on flight routes.

“The system failure that grounded all flights in January cannot happen again,” said Shelley Moore Capito (R-WV) who is sponsoring the bill with Amy Klobuchar (D-MN) and Jerry Moran (R-KS).

The Senate amended and passed the legislation by unanmious consent, essentially sending it back to the House. That chamber passed its own version in January by a vote of 424-4. The House version’s sponsor is Rep. Pete Stauber (R-MN).

“I encourage the House to quickly pass this amended version and send it to the president’s desk, so we can prevent similar outages in the future,” Capitol said.

The task force would be composed of representatives from air carriers and airports; airline pilot, aircraft dispatcher and FAA personnel unions; and aviation safety and cybersecurity experts.